Video Screencast Help

Running Software as System Account in Altiris ITMS 7.1 SP2

Created: 04 Jun 2012 | 2 comments

We have to deploy a software package, and post it to the software portal, that requires us to modify a registry key under the HKEY_Current_User to register the software as activated. We created a script to call the install files then import the registry keys required to unlock the program from a trial version. When depolying the software the install works successfully but the registry keys are not imported. We verifired the script works when running it manually. We also modified the script to add the keys instead of importing, with the same result: failure.

In our previous Altiris 6.9 environment, we were able to configure the software portal to have the package use the the run as "system account" option. In Altiris 7 we only have additional options to deploy the software, not when posting the software to the portal. In either case the only deployment options are a) Management Agent b) Current logged-on user c) specific user

a. registry import fails because the agent credentials can not modify the HKEY_Current_User keys for the clients, so Management Agent is not an option

b. user community doesnt have permissions to modify the registry as part of security protocols, so logged-on user is not an option

c. as with the agent credential other users can not modify the HKEY_Current_User keys for the clients, so this is not an option

Is there any way to modify the options on the software portal to allow the software package to run as the system account?

Comments 2 CommentsJump to latest comment

KSchroeder's picture

Your only real option is option b; perhaps you can add a task which runs as the user to incorporate the proper keys (either via VBScript or reg.exe, for example) that is chained into the job post-installation.  Another approach (which requires the user logging off/logging on) is to configure an ActiveSetup routine.  There are many articles here on Connect and elsewhere that explain how to use ActiveSetup, so I won't go into detail.

To be honest, I haven't worked in 7.1 much yet to see how feasible it is to configure a job to run as the user following a machine-based install...but it seems it should be possible.

One other option which might work is to loop through any user registry hives at HKEY_USERS (excluding the system and Network Service, etc branches) and try to manually write the values there...though, they may not take effect until the user has logged off either.

Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.

JoeVan's picture

It is important to understand that HKCU is the user hive for the current user and is different for each user.  So you need to decide if you want the setting set for a specific user or for all users.  The other thing to understand is that user hives are typically not mounted and not accessible unless the user is logged in.  You can access these hives using the system account but you need to mount them first. 

Here is a VBS function I use from within Altiris scripts when I need to modify user hives.  You won't be able to use this as is because it references other functions from our custom library but you should get the idea of how it works. 

'Set USER level registry settings
Call WriteUserHiveSetting("\Software\ACME\SampleApp\Preferences", "ShowWelcomeScreen", 0, "REG_DWORD", "Disable Welcome Screen for SampleApp", "", "C:\temp\ACMESample.log")

Sub WriteUserHiveSetting(strHivePath, strRegValue, strRegData, strRegType, strRegDescription, strTrackingKey, strLogFile)
   ' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   ' Name: WriteUserHiveSetting(), v1.1.4894
   ' Description: Modifies a user registry hive setting in all user hives.
   ' Arguments:
   ' - strHivePath - Path within the user hive to modify. 
   ' - strRegValue - item in the registry key
   ' - strRegData - Data to put in the registry value
   ' - strRegType - Registry value type such as "REG_DWORD"
   ' - strRegDescription - Description of the key, used only for logging
   ' - strTrackingKey - registry value used to write tracking information, pass "" if tracking key not used
   ' - strLogFile - Name of log file to append or create
   ' Dependencies: GetEnvironVar(), GetRegKeyExists(), GetEnumRegKeys(), WriteRegValue(), WriteLogFile()
   ' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   ' Declare variables
   Dim objFso ' used for working with file system object
   Dim colKeys, strKey ' list of mounted user profiles
   Dim objWshShell ' used for working with shell object
   Dim objProfilesDir, objUserDir, strUserHive 'used for working with profile directories
   Dim intHiveLoad 'return code from mounting user registry hives
   ' Create objects
   Set objFso = CreateObject("Scripting.FileSystemObject")
   Set objWshShell = CreateObject("WScript.Shell")
   ' Log header for this sub - all other entries indented
   Call WriteLogFile(strLogFile, "*** Adjusting User Hives.  Purpose: " & strRegDescription & " ***")  
   '### Update MOUNTED user hives  ###
   'format the input strings
   If Left(strHivePath,1) <> "\" Then strHivePath = "\" & strHivePath
   'Determine list of local Profiles
   colKeys = GetEnumRegKeys("HKLM", "Software\Microsoft\Windows NT\CurrentVersion\ProfileList")
   For Each strKey in colKeys
      'Check to see if the SID is a valid, mounted hive
      If len(strKey) > 10 And Instr(strKey, "_Classes") = 0 And GetRegKeyExists("HKEY_USERS\" & strKey) Then
         Call WriteLogFile(strLogFile, "   ## Adding '" & strRegDescription & "' to MOUNTED User hive : " & strKey)
         Call WriteRegValue("HKEY_USERS", strKey & strHivePath, strRegValue, strRegData, strRegType, strTrackingKey, strLogFile)
      End If
   '### Update UNMOUNTED user hives ###
   Set objProfilesDir = objFso.GetFolder(GetEnvironVar("[PROFILESDIRECTORY]"))  
   For Each objUserDir in objProfilesDir.SubFolders
      strUserHive = objUserDir.path & "\ntuser.dat"
      If objFso.FileExists(strUserHive) And objUserDir.Name <> "All Users" And objUserDir.Name <> "LocalService" And objUserDir.Name <> "NetworkService" Then
         Call WriteLogFile(strLogFile, "   ## Preparing to mount user hive : " & objUserDir.Name)
         intHiveLoad = objWshShell.Run("reg load HKU\TEMP " & Chr(34) & strUserHive & Chr(34),0,True)
         'Check to see if there was a problem loading the hive
         If intHiveLoad = 1 Then
            Call WriteLogFile(strLogFile, "      Unable to mount User Hive into registry for " & & ". May already be mounted")
            Call WriteLogFile(strLogFile, "      Adding '" & strRegDescription & "' to " &
            Call WriteRegValue("HKEY_USERS", "TEMP" & strHivePath, strRegValue, strRegData, strRegType, strTrackingKey, strLogFile)
            'Unload the user registry hive
            objWshShell.Run "reg unload HKU\TEMP", 0, True
         End If
         WriteLogFile strLogFile, "      Completed processing user hive : " & objUserDir.Name        
      End If
End Sub

Joe VanHollebeke
Systems Engineer